Department of Homeland Security

Transportation Security Administration Has Taken Steps To Address the Insider Threat But Challenges Remain

(Redacted)

OIG-12-120                                   September 2012

OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

September 25, 2012

MEMORANDUM FOR:   Dr. Emma Garrison-Alexander
                  Assistant Administrator for Information Technology
                  Transportation Security Administration

FROM:             Frank Deffer
                  Assistant Inspector General
                  Information Technology Audits

SUBJECT:          Transportation Security Administration Has Taken Steps
                  To Address the Insider Threat But Challenges Remain

Attached for your action is our final report, Transportation Security Administration Has Taken Steps to Address the Insider Threat But Challenges Remain. We incorporated the formal comments from the Transportation Security Administration (TSA) in the final report.

The report contains four recommendations aimed at improving TSA's insider threat program. TSA concurred with two recommendations. As prescribed by Department of Homeland Security Directive 077-1, Follow-Up and Resolutions for the Office of Inspector General Report Recommendations, within 90 days of the date of this memorandum, please provide our office with a written response that includes your (1) agreement or disagreement, (2) corrective action plan, and (3) target completion date for each recommendation. Also, please include responsible parties and any other supporting documentation necessary to inform us about the current status of the recommendation. Until your response is received and evaluated, the recommendations will be considered open and unresolved.

Consistent with our responsibility under the Inspector General Act, we are providing copies of our report to appropriate congressional committees with oversight and appropriation responsibility over the Department of Homeland Security. We will post the report on our website for public dissemination.

Please call me with any questions at (202) 254-4100, or your staff may contact Richard Saunders, Director, Advanced Technology Division, at (202) 254-5440.

Attachment

www.oig.dhs.gov                                                                      OIG-12-120

Table of Contents

Executive Summary ... 1
Background ... 2
Results of Audit ... 4
    TSA Has Taken Steps To Address the Risk of Insider Threats ... 4
    Challenges Remain in Implementing a Robust Insider Threat Program ... 9
    Recommendations ... 13
    Management Comments and OIG Analysis ... 14

Appendixes
    Appendix A:  Objectives, Scope, and Methodology ... 19
    Appendix B:  Management Comments to the Draft Report ... 21
    Appendix C:  TSA's Layers of Security ... 27
    Appendix D:  OIG Assessment of Selected TSA Information Systems ... 31
    Appendix E:  Major Contributors to This Report ... 33
    Appendix F:  Report Distribution ... 34

Abbreviations
    BDO         Behavior Detection Officer
    CERT        Computer Emergency Response Team
    CIO         Chief Information Officer
    CISO        Chief Information Security Officer
    DHS         Department of Homeland Security
    FAMS        Federal Air Marshal Service
    FBI         Federal Bureau of Investigation
    FSD         Federal Security Director
    GSS         General Support System
    IT          information technology
    ITTF        Insider Threat Task Force
    JTTF        Joint Terrorism Task Force
    MD          management directive
    MDVA        Multiple Disciplinary Vulnerability Assessments
    NFL         No Fly List
    NIST        National Institute of Standards and Technology
    OIG         Office of Inspector General
    OIT         Office of Information Technology
    OLE/FAMS    Office of Law Enforcement/Federal Air Marshal Service
    OOI         Office of Inspection
    SOC         Security Operations Center
    TSA         Transportation Security Administration
    TSO         Transportation Security Officer
    USB         universal serial bus

Executive Summary

We reviewed the Transportation Security Administration's (TSA's) efforts to address insider threat risks. Our objective was to assess the progress that TSA has made toward protecting its information systems and data from the threat posed by trusted employees. The scope and methodology of this audit are discussed further in appendix A.

TSA has made progress in addressing the information technology insider threat. Specifically, TSA has established an agency-wide Insider Threat Working Group and Insider Threat Section responsible for developing an integrated strategy and program to address insider threat risk. Further, TSA is conducting insider threat vulnerability assessments that include personnel, physical, and information systems at selected airports and off-site offices. Also, TSA is performing checks on privileged user accounts on TSA unclassified systems. The checks include privileged access accounts and rights granted to system administrators or to other employees whose job duties require specific privileges over an information system or network. Additionally, TSA has established a Security Operations Center responsible for day-to-day protection of information systems and data that can detect and respond to an insider threat incident.

TSA can further develop its program by implementing insider threat policies and procedures, a risk management plan, and an insider threat-specific training and awareness program for all employees. Also, TSA can strengthen its situational awareness security posture by centrally monitoring all information systems and by augmenting current controls to better detect or prevent instances of unauthorized removal or transmission of sensitive information outside of TSA's network boundaries.

We are making four recommendations that, if implemented, would improve TSA's overall management of insider threat risk. TSA concurred with two recommendations and did not concur with two.

Background

TSA protects the Nation's transportation systems to ensure freedom of movement for people and commerce. It is responsible for:

• Screening passengers, baggage, and cargo to prevent the smuggling of explosives and other contraband by terrorists and other dangerous suspects;

• Training, monitoring, and certifying Federal flight deck officers, armed security officers, commercial inspectors, and pilot license schools; and

• Leading and conducting security threat assessments and credentialing initiatives for all national modes of transportation, including aviation, maritime, mass transit, highway, freight rail, and pipelines.

TSA relies on sensitive transportation security information to meet these objectives. Every day TSA, airline, and airport vendors or contractors have privileged access to restricted areas at the Nation's 459 federalized commercial airports, which could include areas where TSA information systems are being used.[1] As of November 2011, TSA had approximately 66,023 Federal employees, of which 51,930 (79 percent) were Transportation Security Officers (TSOs) responsible for screening passengers, carry-on baggage, and checked baggage to prevent prohibited objects from being transported on an aircraft.

TSA defines an insider threat as one or more individuals with access or insider knowledge that allows them to exploit the vulnerabilities of the Nation's transportation systems with the intent to cause harm. Types of insider threats could include spying, release of information, sabotage, corruption, impersonation, theft, smuggling, and terrorist attacks. Trusted insiders can be current or former TSA employees, contractors, or partners who have or had authorized access to TSA's operations, systems, and data.

Based on job function or status within the organization, trusted insiders are typically given unfettered or elevated access to mission-critical assets, and therefore would be thoroughly familiar with internal policies and procedures, electronic building access systems used for physical security, and technical access controls such as firewalls and intrusion detection systems used for information security. These employees are usually familiar with the weaknesses of organizational policies and procedures, as well as physical and technical vulnerabilities in computer networks and information systems.

[1] Federalized commercial airports operate under TSA-approved security programs.

This institutional knowledge poses a continual risk to TSA because in the wrong hands it could be used to facilitate malicious attacks and even collusion with external attackers against the organization. The unauthorized disclosure of transportation security information could have an adverse effect on the security of transportation systems, equipment, personnel, or passengers.

TSA currently has multiple layers (i.e., inherent programs or processes) in place that help identify risks to transportation security and could be utilized to mitigate the risks posed by the insider threat. Appendix C lists these layers of security and briefly describes individual security programs.

Since 2001, the Computer Emergency Response Team (CERT) Insider Threat Center of the Software Engineering Institute at Carnegie Mellon University has researched and gathered data about malicious insider acts, including information technology (IT) sabotage, fraud, theft of confidential or proprietary information, espionage, and potential threats to our Nation's critical infrastructures. CERT has researched approximately 400 insider threat cases, including fraud, sabotage, and theft of intellectual property, that have been prosecuted in the United States.

CERT has collaborated with U.S. Secret Service behavioral psychologists to collect approximately 150 actual insider threat cases that occurred in U.S. critical infrastructure sectors between 1996 and 2002, and examined them from both a technical and a behavioral perspective. Their research helped them to develop best practices that provide a framework for establishing an insider threat program within an organization and provide defensive measures that could detect or prevent the insider threat. CERT recommends that organizations:

• Include the insider threat in enterprise-wide risk assessments;

• Conduct a security awareness campaign to ensure that the insider threat is understood across the organization;

• Develop and clearly define policies relevant to the insider threat and enforce these policies consistently and fairly; and

• Secure both the physical and electronic environment, including account and password management, separation of duties, controls for the software development process, change controls, remote access, and privileged user accounts such as those used by system administrators.

Results of Audit

TSA Has Taken Steps To Address the Risk of Insider Threats

TSA has taken a number of steps toward addressing the risk of insider threats to its information systems and data. Specifically, TSA has established an agency-wide Insider Threat Working Group and Insider Threat Section responsible for implementing a program to address insider threat risk. In addition, TSA is conducting insider threat vulnerability assessments and checks of privileged user accounts on TSA information systems. Finally, TSA has established a Security Operations Center (SOC) responsible for day-to-day protection of information systems and data.

Insider Threat Working Group

TSA has established an Insider Threat Working Group, formerly referred to as the Insider Threat Task Force (ITTF), to develop an integrated agency-wide strategy that coordinates operational plans to prevent, detect, and deter the exploitation of trusted positions that could jeopardize the security of the Nation's transportation systems.[2]

In December 2008, TSA decided to examine insider threat issues, and initially tasked the Office of Inspection (OOI) to lead, develop, and facilitate activities for the agency. In early 2009, OOI established the ITTF, which consisted of agency personnel from the various TSA offices, including Chief Counsel, Information Technology, and Security Operations. Its primary goals were as follows:

• To communicate the insider threat program's objectives as they relate to expectations of the current TSA leadership;

• To collaborate agency-wide with the implementation of the insider threat program; and

• To provide recommendations to TSA leadership on ways to improve the agency's ability to coordinate the ongoing insider threat mitigation efforts.

[2] Executive Order 13587 – Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, issued in 2011, requires agencies that operate or access classified computer networks to implement an insider threat detection program consistent with guidance and standards developed by an interagency, Government-wide insider threat task force. Agencies, such as TSA, will be responsible for implementing an insider threat detection and prevention program consistent with guidance and standards developed by the task force.

In 2009, the ITTF proposed a plan to strengthen insider threat mitigation activities. In response to the plan, OOI introduced an Airport Community Engagement Strategy. The strategy included OOI piloting an insider threat awareness campaign and facilitating insider threat Multiple Disciplinary Vulnerability Assessments (MDVAs) at airports on the United States southwest border. The pilots were performed in July 2009. TSA plans to expand the insider threat awareness campaign throughout the TSA workforce.

In January 2012, the ITTF was re-established as the Insider Threat Working Group. The working group consists of agency personnel from various TSA offices, including the Office of Chief Counsel, Office of Information Technology, and Office of Security Operations.

Insider Threat Section

In January 2011, the leadership of the ITTF was transferred from OOI to the Office of Law Enforcement/Federal Air Marshal Service (OLE/FAMS). Additionally, the facilitation of the MDVAs and the insider threat awareness briefings were transferred to OLE/FAMS. In March 2011, a permanent Supervisory Air Marshal in Charge was assigned to manage the insider threat program.

The Insider Threat Section, along with the working group, is responsible for:

• Establishing organizational oversight and implementation of an insider threat program;

• Defining, developing, and promoting specific insider threat policies, procedures, and processes to identify, prevent, and detect potential insider threat risks;

• Developing and implementing insider threat reporting and handling requirements for mitigating and responding to insider threat risks, events, or attacks; and

• Developing insider threat requirements for implementing a TSA-wide insider threat awareness and training program.

The Insider Threat Section is a central location in TSA for reporting insider threat risks and coordinating insider threat investigations, which may involve TSA offices, external partners, and law enforcement officials. The section evaluates allegations of insider threat incidents, gathers critical information, and preserves evidence.

The section may conduct law enforcement actions to evaluate an allegation of an insider incident, gather critical information, or preserve evidence. It coordinates with the Department of Homeland Security (DHS) Office of Inspector General (OIG), TSA Office of Inspection, the Federal Bureau of Investigation (FBI), or other agencies as necessary to ensure that criminal or administrative allegations are investigated within the appropriate jurisdiction. Insider threat issues that occur at airports are typically reported to the coordinating office by the TSA Assistant Federal Security Director for Law Enforcement.

The section has established a toll-free, 24-hour hotline number and an email address specifically for employees and stakeholders to report possible insider threat incidents. It has also developed a brochure and informational poster for employees regarding the Insider Threat Program. The brochure addresses such topics as the motives or personal factors/situations and organizational situations that may increase the likelihood of an insider threat, and behaviors that may offer clues that an employee poses an insider threat. The informational poster provides basic insider threat indicators and reporting procedures. The brochure and poster are currently pending TSA leadership approval.

Multiple Disciplinary Vulnerability Assessments

The Insider Threat Section performs MDVAs designed to identify and remedy vulnerabilities that an employee might target with the intent of causing harm from inside the airport environment. The multilayered approach used in the assessments gathers and analyzes identified vulnerabilities from programs or processes that include information systems within the airport security environment. At the end of each assessment, the team suggests countermeasures for improving the airport's insider threat security posture to the Federal Security Director (FSD) and airport authority.[3] The methodology used in the insider threat assessment includes:

• Interviewing the FSD, FSD staff, TSOs, TSA IT specialists assigned to the airport, and airport employees. The interviews are conducted to identify and confirm potential airport insider threat vulnerabilities.

• Performing insider threat technical vulnerability assessments of TSA's IT infrastructure, including networks, servers, and hosts at airports. TSA performs insider threat technical security assessments of the Transportation Security Administration Network General Support System (GSS), Infrastructure Core Services GSS, and End User Computing Major Application.

• Performing insider threat physical security assessments of the entire airport to determine vulnerabilities that could be breached, including locations of TSA's IT infrastructure.

• Analyzing the information obtained during these assessments to identify vulnerabilities an employee could exploit from inside the airport environment. These vulnerabilities could be personnel, physical, or information systems related.

[3] As the highest-ranking TSA employees at federalized airports, FSDs manage Federal airport security staff and operations, and lead and coordinate TSA security activities.

TSA performs these quarterly assessments in collaboration with entities including other TSA internal offices, the FBI, U.S. Customs and Border Protection, U.S. Immigration and Customs Enforcement, U.S. Citizenship and Immigration Services, and the Federal Emergency Management Agency. In addition, specific air carriers, airport police, and U.S. Attorney's Office personnel have participated.

Since 2009, 11 MDVAs have been performed. OOI performed eight assessments, including three pilots, and OLE/FAMS performed three assessments.

Technical Insider Threat Vulnerability Assessments

Separate from MDVAs, the Office of Information Technology (OIT) performs technical insider threat vulnerability assessments at selected airports. The assessments are part of a process to specifically address the insider threat from an information security perspective. Since 2011, OIT has performed these assessments at two airports. OIT plans to formalize the assessment process and regularly perform these assessments at selected airports. This assessment methodology includes:

• Conducting interviews at the airport with TSA personnel to determine where potential insider threat issues exist.

• Observing and inspecting TSA's operations at the airport, including the screening areas, baggage handling areas, and other TSA areas, to identify potential insider threat risks related to information systems.

• Conducting technical vulnerability assessments of TSA's IT infrastructure at the airport and off-site administrative offices. The assessments will include TSA's technical infrastructure, servers, and hosts. If identified vulnerabilities require further analysis, TSA will obtain images of the computer hard drives and perform forensic analysis.

• Communicating issues identified during the assessments to the local FSD at the airport for remediation.

Compliance Checks of Information System Privileged Accounts

Employees with privileged access to information systems have a greater opportunity to perform insider attacks, as their elevated user accounts may give them the opportunity to bypass system controls in place to mitigate the insider threat risk.

OIT performs periodic checks of privileged user accounts on selected information systems to verify that policies for secure implementation, monitoring, and maintenance of access controls are properly applied.[4] These checks are performed under the direction of the TSA Chief Information Security Officer (CISO), and their objective is to determine if selected technical, operational, and management security controls, per DHS Sensitive Systems Policy Directive 4300A, are implemented and operating as expected.

As described in TSA's Standard Operating Procedure (SOP) Privileged Access, privileged system account holders (e.g., system administrators) are subject to a formal authorization that includes approval by the TSA CISO. By performing these checks, TSA verifies that users who require elevated access to perform their current job functions have been approved.

[4] TSA defines a privileged account as an information system account with rights that enable a user to take actions that may affect computing systems, network communication, or the accounts, files, data, or processes of other users.

TSA Security Operations Center

Research conducted by CERT has shown that logging and monitoring employees' behavior while they are using Government-issued computer or network resources will provide a better opportunity to identify suspicious insider activity before a serious breach of security can occur. TSA's SOC is responsible for day-to-day monitoring of computer networks and information systems and data. This includes real-time analysis of computer system security event logs and computer security incident response as needed.

The SOC collects data and alerts from the following technology assets to determine if insider threat activity is occurring:

• Firewall Logs – Reviewing the logs could provide evidence that an insider changed the firewall "rule set" to permit inappropriate activities.

• Antivirus Logs – Reviewing the logs could identify an insider who turns off or disables antivirus software, which allows the insider to install malicious files such as viruses, Trojans, or logic bombs.

• Intrusion Detection System Logs – Reviewing the logs for network and system activities could identify malicious insider activities or policy violations.

Challenges Remain in Implementing a Robust Insider Threat Program

Although TSA has made progress toward addressing the insider threat risk on many levels, more remains to be done to implement a robust insider threat program. Specifically, TSA can further strengthen its program by implementing specific insider threat policies, procedures, and a risk management plan for the insider threat. TSA needs to implement an insider threat training and awareness program for the entire TSA workforce. Further, TSA should strengthen its situational awareness security posture by centrally monitoring all information systems and by augmenting current controls to detect or prevent instances of unauthorized removal or transmission of sensitive information outside of TSA's network boundaries.

Insider Threat Policies and Procedures

TSA needs to further develop its program by implementing insider threat-specific policies and procedures to provide a consistent and clear message to all employees regarding their role and responsibility for mitigating the insider threat risk on a consistent basis. The initial public draft of National Institute of Standards and Technology (NIST) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, recommends that an organization develop an insider threat program with clearly defined policies and consistent enforcement of these policies to achieve maximum effectiveness. The Insider Threat Section plans to develop and implement formal insider threat-specific policies and procedures that align with existing DHS and TSA policies.

Further, TSA needs to implement a risk management plan specifically addressing the insider threat risk. According to CERT, many organizations that have suffered a loss from an insider threat have done so, at least partially, because of hindrances to effective communication and risk management across departments and their subcomponents. A risk management plan would help ensure that all employees are aware of and addressing risk consistently and continually across the enterprise.

Without insider threat-specific policies and an insider threat-based risk management plan, there may not be a consistent understanding of the broad spectrum of risks facing TSA.

Insider Threat-Specific Training and Awareness Is Needed

TSA does not have an agency-wide required training and awareness program that specifically addresses the insider threat. The Insider Threat Working Group is currently identifying insider threat training and awareness needs for all employees, contractors, and Government partners. Once management directives, policies, and standard operating procedures are implemented, TSA plans to create and implement the appropriate insider threat training and awareness activities. The training being developed will include insider threat indicators and processes for reporting suspicious insider threat behavior.

Until insider threat training and awareness for the workforce is implemented, employees, contractors, and partners may not have the knowledge to recognize and help TSA respond to potential insider threats or actual attacks.

Protection of Controlled Information

Protecting controlled information (i.e., sensitive but unclassified or proprietary) is critical to mitigating the insider threat risk to organizations. CERT studied a variety of insider threat cases that revealed circumstances in which insiders carried out attacks through the unauthorized download of information to portable media or external storage devices. In some instances, malicious insiders used email or software protocols to plan their attacks or transmit sensitive or proprietary information to competitors or conspirators.

TSA needs to implement additional protective measures to detect or prevent instances where unauthorized employees use portable media devices (e.g., universal serial bus, or USB, devices) to copy or remove sensitive data from desktop and laptop computers. According to TSA officials,

TSA could implement a variety of monitoring techniques to detect or prevent data loss, including data loss detection tools, enterprise configuration management tools, or host- and network-based intrusion detection systems. Without these tools, TSA increases the risk of sensitive data being lost, stolen, or destroyed, which could adversely affect TSA property, personnel, or passengers.

Until such tools are utilized across the network enterprise, TSA could implement lesser protective measures to help mitigate this threat. For example, where there is no legitimate "business need" to have USB ports active on desktop or laptop computers, system administrators could disable those ports.
Where\n           there is no business need to maintain unlimited file attachment sizes, system\n           administrators could limit the size allowed for file attachments sent via email or\n           transfer protocols, making it more difficult for a malicious insider to exfiltrate\n           large amounts of sensitive data outside of TSA networks without being detected.\n\n           Central Monitoring of Information Systems\n\n           The SOC currently monitors 60 of 77 unclassified information systems across the\n           TSA enterprise. The remaining systems are monitored either by the system\n\n\n\nwww.oig.dhs.gov                                11                                        OIG-12-120\n\x0c                              OFFICE OF INSPECTOR GENERAL\n                                 Department of Homeland Security\n\n\n           administrator responsible for each system or not at all. Some of these systems\n           are not connected to the TSA network or the Internet.\n\n           In 2009, TSA made a risk based decision not to have the SOC monitor the\n           remaining 17 information systems because TSA leadership considered them \xe2\x80\x9cnon\n           mission critical systems.\xe2\x80\x9d However, as part of required security authorization\n           packages, system administrators or owners are required to reassess the Federal\n           Information Processing Standards 199 security categorization at least every 3\n           years or when significant changes to the system occur. TSA should reassess the\n           2009 decision not to monitor these systems based on their perceived low risk\n           categorization.\n\n           TSA officials also cited prohibitive cost as a factor in the decision not to extend\n           the monitoring capabilities of the SOC to include these systems. 
Although TSA\n           has implemented a formal procedure for security breaches on these systems to\n           be reported to the SOC, system administrators tasked to oversee these systems\n           separately may miss an instance of a security breach, because they cannot be\n           expected to review the system\xe2\x80\x99s audit or configuration logs at all times.\n\n           According to the TSA IT Security Handbook, all information systems security\n           event information is required to be aggregated at a central location. The role of\n           the SOC is to act as a single focal point to provide enhanced situational\n           awareness on IT operational and security issues throughout the enterprise. This\n           positions the SOC to identify, prioritize, and address potential insider threat risks\n           in a timely manner.\n\n           Without central monitoring of all information systems, TSA will not have the\n           ability to respond to potential insider threat risks in a timely manner. OIT\n           notified administrators of systems not currently monitored by the SOC that they\n           must either seek an exception to remain that way or arrange to become part of\n           the SOC monitoring. 
To date, there is no specific timeline to complete this\n           effort.\n\n\n\n\nwww.oig.dhs.gov                                 12                                       OIG-12-120\n\x0c                             OFFICE OF INSPECTOR GENERAL\n                                Department of Homeland Security\n\n\n           Recommendations\n\n           We recommend that the Assistant Administrator for Information Technology for\n           TSA:\n\n           Recommendation #1:\n\n           Further develop the insider threat program to include policies, procedures, and a\n           risk management plan pertinent to the insider threat.\n\n           Recommendation #2:\n\n           Implement an insider threat training and awareness program for the entire TSA\n           workforce.\n\n           Recommendation #3:\n\n\n                                                                                direct\n\n           system administrators to disable USB ports on desktop and laptop computers if\n           there is not a legitimate business need for them to be activated.\n\n           Recommendation #4:\n\n           Until protective measures are implemented to detect or prevent unauthorized\n           exfiltration of sensitive information outside TSA\xe2\x80\x99s network, direct system\n           administrators to limit the size of email file attachments if there is not a\n           legitimate business need for such attachments.\n\n\n\n\nwww.oig.dhs.gov                               13                                     OIG-12-120\n\x0c                              OFFICE OF INSPECTOR GENERAL\n                                 Department of Homeland Security\n\n\n           Management Comments and OIG Analysis\n\n           We obtained written comments on a draft report from the TSA Administrator.\n           We have included a copy of the comments, in its entirety, in appendix B. 
TSA concurred with recommendations #1 and #2 and did not concur with recommendations #3 and #4.

TSA Comments to Recommendation #1

TSA concurs with recommendation #1. TSA stated that it has developed a management directive (MD) that provides TSA policy and procedures for the establishment, integration, and implementation of the Insider Threat Program. The MD is currently in draft pending coordination with other TSA program entities. When approved and implemented, the MD is intended to serve as the foundation for the insider threat specific risk management plan, which will identify the procedures to be used to manage risk throughout the life cycle of an insider threat related activity.

OIG Analysis

We agree that the actions being taken satisfy the intent of this recommendation. This recommendation will remain open until TSA provides documentation to support that the planned corrective actions are completed.

TSA Comments to Recommendation #2

TSA concurs with recommendation #2. TSA stated that it has an insider threat awareness program, as evidenced by a March 8, 2012, broadcast message entitled TSA’s Insider Threat Program. The broadcast message defines an insider threat and announces the Insider Threat Program’s newly established toll-free, 24-hour hotline number and email address for reporting possible insider threat incidents.

TSA intends to disseminate and place insider threat posters and tri-fold brochures throughout TSA Headquarters and field locations. After the finalization and implementation of the Insider Threat Program MD, TSA will develop insider threat specific training that will likely be delivered to the agency workforce through TSA’s Online Learning Center.

The insider threat assessments performed by TSA have recently been enhanced to include insider threat training for FAMS Field Office personnel and individuals who participate in the assessments at the selected airports. The training will include an overview of the Insider Threat Section’s roles and responsibilities, as well as the roles and responsibilities of those participating in or supporting the assessments.

OIG Analysis

We agree that the actions being taken satisfy the intent of this recommendation. This recommendation will remain open until TSA provides documentation to support that the planned corrective actions are completed.

TSA Comments to Recommendation #3

TSA did not concur with recommendation #3. TSA stated that it uses USB ports for operational purposes and that it would not be feasible to implement the recommendation.

[Redacted]

TSA includes insider threat in its risk-based approach to vulnerabilities and views insider threat in every aspect of the TSA mission, including the implementation of protective measures such as physical security, technical controls, and training and awareness. TSA is in the process of creating an Insider Threat Program. TSA OIT has Security Operating Centers that monitor both classified and unclassified systems.

TSA utilizes a gateway application through DHS Trusted Internet Connections and Policy Enforcement Points, which provides alerts when data is transferred outside of the DHS network. TSA continuously works with DHS to fine-tune the application for improved notification services within the TSA network. TSA plans to implement policy, procedures, and training to increase awareness, compliance, and accountability among all TSA employees and contractor staff.

OIG Analysis

We consider this recommendation unresolved; it will require additional discussion between our offices before disposition. We do not agree with TSA’s statement that it uses USB ports for operational purposes and that it would not be feasible to implement the recommendation.

We recognize that TSA has established an agency-wide Insider Threat Working Group and an Insider Threat Section, and has implemented security monitoring at Security Operating Centers for 60 unclassified systems. However, TSA has not yet implemented [Redacted]. Although DHS is working toward adoption of [Redacted], TSA has not implemented centralized and aggregated monitoring of all 77 unclassified TSA information systems across the enterprise, as required by the TSA IT Security Handbook. As discussed with TSA, this recommendation was meant to serve as a lesser and interim protective measure [Redacted]. This recommendation can be implemented using inexpensive [Redacted].

TSA should reconsider its response to this recommendation and take the necessary steps to address this potential insider threat risk.

TSA Comments to Recommendation #4

TSA did not concur with recommendation #4. TSA stated that its physical and automated security controls prevent inadvertent access to sensitive data and that it uses role-based scenarios and periodic review of all security controls before granting an approval to operate systems in which sensitive data is housed.

According to TSA, NIST Special Publication 800-45, Guidelines on Electronic Mail Security, recommends that organizations consider restricting the maximum applicable size for email attachments. Additionally, DHS MD 4500.1, DHS E-Mail Usage, gives the Chief Information Officer (CIO) the responsibility for establishing individual mail message size (including attachments) and total mailbox size limits. Accordingly, TSA currently limits the size of email attachments to 20 megabytes for all employees.

TSA stated that email size limitations would not inhibit the ability of insiders to copy or disseminate sensitive information. TSA recognizes that sensitive information can be copied or disseminated through various methods, including sending multiple email attachments, sending emails with embedded sensitive information, printing sensitive information, or copying sensitive information by hand.

The TSA strategy for addressing insider threat is a risk-based approach that includes the following: an Insider Threat Program, Insider Threat Assessments, a Cyber Security Awareness and Outreach Program, Technical Insider Threat Vulnerability Assessments, and compliance checks of information system privileged accounts.

OIG Analysis

We consider this recommendation unresolved; it will require additional discussion between our offices before disposition. We do not consider TSA’s comments responsive to the recommendation that email file attachment size should be limited where there is not a legitimate business need for such attachments.

We recognize that TSA has established an Insider Threat Program, conducts insider threat vulnerability assessments, and performs compliance checks of information system privileged accounts.

[Redacted] As discussed with TSA, this recommendation was meant to serve as a lesser and interim protective measure until TSA has implemented the appropriate protective measures.

DHS MD 4500.1, DHS E-Mail Usage, gives email system administrators the responsibility for implementing and maintaining appropriate security features and controls. Although DHS users are responsible for adhering to the CIO’s guidelines on email message size, only administrators at the system level have both the control and the responsibility to address the security risk posed by exfiltration of sensitive information. Furthermore, administrators can impose email size limitations based on the specific and unique needs of user roles and accounts. For example, 79 percent of TSA’s workforce are Transportation Security Officers (TSOs), who have minimal need to attach sensitive information to email messages on a daily basis.

Applying different but appropriate security settings to email accounts based on business need is a crucial step for TSA to limit its exposure to potential insider threat risks.
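The log review the report describes for the SOC (firewall rule set changes, antivirus being disabled, intrusion detection alerts) and the role-based attachment control argued for in this analysis can both be automated from centrally aggregated events. The following Python example is added here as an illustration; it is not code from the OIG report or from any TSA system. It parses constructed log lines for the three SOC indicators, then applies a per-role daily attachment budget and flags the bypass TSA itself raised, a large file split into several attachments just under the 20 megabyte per-message cap. The key=value log format, the role names, the byte budgets, the 80 percent "near the cap" threshold and the sample lines are all assumptions chosen for the example.

```python
"""Insider threat indicators from aggregated security logs.

Added example; not from the OIG report or from TSA's SOC. The key=value log
format, role names, budgets and thresholds are assumptions, and the sample
log lines below are constructed.
"""
import re
from collections import defaultdict

MB = 1024 * 1024
PER_MESSAGE_LIMIT = 20 * MB                 # TSA's stated per-message attachment cap
DAILY_BUDGET = {"tso": 5 * MB, "analyst": 100 * MB}   # assumed per-role budget per sender per day
NEAR_LIMIT = int(PER_MESSAGE_LIMIT * 0.8)   # an attachment this large is "near the cap" (assumed 80%)
CHUNKING_COUNT = 3                          # this many near-cap sends in one day looks like a split file

# Constructed sample events in an assumed key=value format, one event per line.
SAMPLE_LOGS = """\
ts=2012-03-01T08:02:11 src=fw01 type=fw_rule_change user=jdoe action=add rule="permit any any tcp/22 outbound"
ts=2012-03-01T08:05:40 src=av type=av_status user=jdoe host=ws-4471 state=disabled
ts=2012-03-01T08:06:02 src=ids type=ids_alert user=jdoe host=ws-4471 sig="outbound SSH to external host"
ts=2012-03-01T09:10:00 src=mail type=mail_send user=jdoe role=tso attach_bytes=19000000
ts=2012-03-01T09:12:30 src=mail type=mail_send user=jdoe role=tso attach_bytes=19500000
ts=2012-03-01T09:15:05 src=mail type=mail_send user=jdoe role=tso attach_bytes=18900000
ts=2012-03-01T10:00:00 src=mail type=mail_send user=asmith role=analyst attach_bytes=15000000
ts=2012-03-01T11:30:00 src=av type=av_status user=asmith host=ws-0912 state=enabled
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def analyze(log_text):
    """Return {user: [indicator, ...]} for every user with at least one indicator."""
    findings = defaultdict(list)
    mail = defaultdict(list)    # (user, day) -> attachment sizes sent that day
    roles = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        user, kind = ev.get("user", "unknown"), ev.get("type")
        if kind == "fw_rule_change":
            # the report: an insider changing the rule set to permit inappropriate activity
            findings[user].append(
                f"firewall rule set changed: {ev.get('action')} {ev.get('rule')}")
        elif kind == "av_status" and ev.get("state") == "disabled":
            # the report: an insider turning off antivirus before installing malicious files
            findings[user].append(f"antivirus disabled on {ev.get('host')}")
        elif kind == "ids_alert":
            findings[user].append(f"IDS alert on {ev.get('host')}: {ev.get('sig')}")
        elif kind == "mail_send":
            mail[(user, ev.get("ts", "")[:10])].append(int(ev.get("attach_bytes", 0)))
            roles[user] = ev.get("role", "unknown")
    for (user, day), sizes in mail.items():
        role = roles[user]
        # an unknown role gets the smallest budget rather than no limit
        budget = DAILY_BUDGET.get(role, min(DAILY_BUDGET.values()))
        total = sum(sizes)
        if total > budget:
            findings[user].append(
                f"{day}: {total // MB} MB attached in one day exceeds the "
                f"{role} budget of {budget // MB} MB")
        # several attachments just under the per-message cap on the same day
        near = sum(1 for s in sizes if s >= NEAR_LIMIT)
        if near >= CHUNKING_COUNT:
            findings[user].append(
                f"{day}: {near} attachments near the {PER_MESSAGE_LIMIT // MB} MB "
                f"per-message cap, consistent with splitting a large file")
    return dict(findings)


if __name__ == "__main__":
    for user, items in analyze(SAMPLE_LOGS).items():
        print(user)
        for item in items:
            print("  -", item)
```

Run on the constructed sample, the analyst who sent one 15 MB attachment and re-enabled antivirus produces no findings, while the TSO account accumulates all five indicators. The per-message cap alone would have passed every one of that account's messages; the daily budget and the near-cap count are what surface the split transfer, which is the practical point behind pairing a size limit with aggregated monitoring.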
TSA should reconsider its response to this recommendation and take the necessary steps to address this potential insider threat risk.


Appendix A
Objectives, Scope, and Methodology

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the Department.

The objective of this audit was to assess the progress that TSA has made toward protecting its information systems and data from the threat posed by trusted employees.

During the audit, we assessed TSA’s:

• Insider threat management process;
• Ability of selected employees to monitor and report suspicious employee behavior;
• Insider threat security policies;
• Insider threat security training and awareness; and
• Four unclassified information systems critical to the mission of TSA.

Appendix D provides information on the systems selected for the assessment, the relevant security controls selected, and the assessment results.

Fieldwork was conducted at:

• TSA Headquarters, Arlington, Virginia;
• Denver International Airport, Denver, Colorado;
• Colorado Springs Airport, Colorado Springs, Colorado;
• Washington Dulles International Airport, Sterling, Virginia;
• Charlotte Douglas International Airport, Charlotte, North Carolina;
• Raleigh-Durham International Airport, Morrisville, North Carolina;
• Ronald Reagan Washington National Airport, Arlington, Virginia;
• Colorado Springs Operations Center;
• Annapolis Junction Operations Center;
• TSA Security Operations Center, Ashburn, Virginia;
• TSA Freedom Center, Herndon, Virginia;
• Federal Air Marshal Service Facility, Egg Harbor Township, New Jersey; and
• DHS Data Center, Clarksville, Virginia.

Fieldwork was performed through conference calls or data calls for San Francisco International Airport in San Francisco, California, and Portland International Airport in Portland, Oregon.

We conducted this performance audit between September 2011 and March 2012 pursuant to the Inspector General Act of 1978, as amended, and according to generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based upon our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based upon our audit objectives.

We appreciate TSA’s efforts to provide the necessary information and access to accomplish this audit.
Major OIG contributors are identified in appendix E.\n\n\n\n\nwww.oig.dhs.gov                                 20                                       OIG-12-120\n\x0c                                      OFFICE OF INSPECTOR GENERAL\n                                            Department of Homeland Security\n\n\n   Appendix B\n   Management Comments to the Draft Report\n\n\n\n                                                                                 \'e.\xc2\xb7.\n                                                                                         u.s. Df,p."IUH\' or Ito. tt.lld SKull)\'\n                                                                                         601 Soulh 121h SUUI\n                                                                                         AJh~VA       m98\n\n                  JUN 2 5 2012                                               ;           Transportatio n\n                                                                                         Security\n                                                                                 ..\n                                                                             ~, ~ .~..   Administration\n\n\n                                                       lNfORMATlON\n\n\n              MEMORANDUM FOR,                Frank DefTer\n                                             Assisllmt Inspector General\n                                             Information Technology Audits\n\n                                             John s. 
PiSloi.tJ...-~;J"Y\n                                             Administrator v~\n\n                                             Transportation Security Administration\'s (fSA) Response 10\n                                             Department of Homeland Security (OI\'IS) Office oflnspector\n                                             General\'s (DIG) Draft Report Titled Transporflltion Security\n                                             Administration Has Taken Steps To Address the Insider Threat But\n                                             Challenges Remain. DIG Projeci No. Il \xc2\xb7064\xc2\xb7JTA\xc2\xb7TSA\n\n\n\n\n              This memorandum constitutes TSA \'s formal Agency response 10 the DHS O IG draft report\n              Transportation SecurilY Administration Has Taken Steps To Address the Insider Threat But\n              Challenges Remain. TSA appreciates the opportunity to review and provide comments to your\n              draft report.\n\n              Background\n\n              In August 2011. OIG began a review ofTSA\'s efTorts to address insider threat risks. DIG\'s\n              objecti ve was to assess the progress that TSA made toward protecting its information systems\n              and data from the threat posed by trusted employees. 
DIG conducted its fieldwork from\n              September 2011 to March 2012.\n\n              During this review, DIG assessed TSA\'s insider threat management process: abil ity of selected\n              employees to monitor and report suspicious cmployee behavior: insider threat security policies:\n              insider threat security training and awareness; and fou r unclassified infonnation systems critical\n              to the mission ofTSA.\n\n\n\n\nwww.oig.dhs.gov                                                   21                                                              OIG-12-120\n\x0c                                       OFFICE OF INSPECTOR GENERAL\n                                             Department of Homeland Security\n\n\n                                                                                                                       2\n\n\n\n\n                  Discussion\n\n                  As noted in the draft repon. OIG\'s objective was 10 "assess the progress that TSA has made\n                  toward protecting its information systems and data from the threat posed by trusted em ployees."\n                  DHS DIG noted that TSA has made progress in addressing the in formatio n technology insider\n                  threat. Spec ifically, the report states that \'\'TSA established an agency-wide Insider Threat\n                  Worki ng Group and Coordi nating Office responsible for developing an integrated st rategy and\n                  program 10 address insider threat risk." TSA appreciates OIO\'s recogni tion ofTSA\'s efforts to\n                  address insider threat risks by conducting insider threat vul nerability assessments that incl ude\n                  personnel, physical. 
and information systems a l selected airports and oIT-si te offices; performing\n                  checks on privileged user accounts on TSA unclassified systems (which include pri vileged\n                  access accounts and ri ghts grantcd to system admi ni strators or to other employees whose job\n                  duties require specific privileges over an infonnation system or network); and establishing a\n                  Security Operati ons Center responsible for the d ay~t o-day protection of information systems and\n                  data that can detect and respond to an insider threat incident.\n\n                  There are several items contained in the report TSA would like to clarify. In reference to the\n                  definition of insider threat, TSA seeks to clarify that it defines an insider threat as "One or more\n                  individuals with acceSs a nd/or insider knowledge that allows them to exploit the vulnerabilities\n                  of the ation\'s transportation systems with the intent to cause hann. This includes di rect risks\n                  associated with TSA \'s security programs, operations, and indirect risks that may com promise our\n                  critical infrastructure." 
T he referenced definition was disseminated to the entire TSA workforce\n                  through a TSA broadcast message on March 8, 2012, as part ofTSA\'s Insider Threat Program\n                  awareness campaign.\n\n                  With respect to steps TSA has taken to address the risk of insider threats, specifically as it\n                  concerns the Insider Threat Working Group (ITWG) and the Insider lltreat Section, TSA seeks\n                  to clarify, for historica l accuracy, the evol ution of these enti lies and associated nome nclatures.\n                  In December 2008, TSA\'s Office of Inspection (001) was tasked by TSA leadership to lead\n                  and/or coordinate the Agency\'s insider threat initiatives, to eventually incl ude the Insider Threat\n                  Task Force (ITTF), which was re -established in January 2012 as the Insider Threat Working\n                  Group (ITWG). Similar to the ITTF, the ITWG consists of Agency personnel from various TSA\n                  offices, including the Office of Chief Counsel, Office of Information Technology, and Office of\n                  Security Operations.\n\n                  In response to thc ITfF\' s proposed plan to strengthen insider threat mitigation activities, in 2009,\n                  001 introduced an Airport Community Engagement Strategy (ACES). The strategy incl uded\n                  001 piloting an insider threat awareness campaign and faci litating insider threat Multiple\n                  Disciplinary Vulnerability Assessments (MDV As) at airpo rts on the United States southwest\n                  border.\n\n                  One of the ITTF\'s recommendations to TSA leadership was to establish an insider threat\n                  coordi nation office that would be responsible fo r coordinating TSA\'s insider threat program\n                  efforts. 
In January 2011, in response to this recommendation, TSA established the Insider lOreat\n\n\n\n\nwww.oig.dhs.gov                                                   22                                                       OIG-12-120\n\x0c                                       OFFICE OF INSPECTOR GENERAL\n                                            Department of Homeland Security\n\n\n                                                                                                                         3\n\n\n\n\n                  Section w ithin TSA\'s Office of Law EnforcementIFederal Air Marshal Service (OLEIFAMS).\n                  The Insider Threat Section is responsible for the lTWG (fannerly the ITTF), as well as\n                  facilitation of the MDVA and insider threat awareness briefings.\n\n                  The purpose for and primary goals Oflhc ITWG are consistent with those of the IlTF; however.\n                  the Insider Threat Section, along with the working group, is also responsible for the fo llowing:\n\n                            Establishing organizational oversight of an insider threat program;\n\n                            Defining, developing, and promoting specific insider threat policies, procedures, and\n                          processes to identify. prevent, and detect potential insider threat risks;\n\n                          \xe2\x80\xa2 Developing and implementing insider threat reporting and handling requirements for\n                          mitigating and responding to insider threat risks, events, or attacks; and\n\n                          \xe2\x80\xa2 Developing insider threat requirements for implementing a TSA-wide insider threat\n                          awarcness and training program.\n\n                  The Insider Threat Section\'S coordination with other DHS or TSA offices, and/or other agencies,\n                  is not strictly limited to the investigation of criminal allegations. 
Coordination may also occur pursuant to an investigation of administrative allegations. Additionally, under the current model, the Insider Threat Section oversees the following three functional areas or program sections:

• Insider Threat Assessments (ITAs)

• Training and Awareness

• Operations: Referrals and Mitigation.

With respect to the number of MDVAs performed by TSA, since 2009 it has conducted 11, as opposed to five as indicated in the report. OOI facilitated eight MDVAs, including three pilots; and to date, OLE/FAMS has facilitated three MDVAs.

Statements within the report portray an absence of any insider threat education, training, and awareness at TSA. Although TSA does not have an Agency-wide required training and awareness program that specifically addresses insider threat, it has mandatory Online Learning Center courses that include aspects of awareness and recognition of insider threat activities, e.g., TSA Security Orientation, Classified National Security Information (CNSI) for TSA Employees and Contractors, Fundamentals of CNSI, Operations Security Fundamentals (OPSEC), IT Security Awareness, and TSA Management Directive (MD) 2800.5: Internal Security Reporting: Foreign Contact and Travel.
Over the years, awareness programs have been deployed within TSA that address being alert to external influences and co-worker criminal and intelligence involvement, programs that have included poster campaigns at Headquarters and field offices, broadcast messages, and OPSEC or Sensitive Security Information survey visits at major airport offices. While TSA agrees that such efforts are shared among the multiple TSA program offices, and not presently issued under one consolidated program, they are representative of the supporting efforts by program offices within TSA to raise awareness of insider threat.

Overall, your recommendations will help us continue improving and implementing a more robust insider threat program. TSA has already made significant progress in implementing a more robust insider threat program, as evidenced by the fact that when audit fieldwork began, the Insider Threat Section was only staffed with the Supervisory Air Marshal in Charge. At present, the Insider Threat Section currently consists of 10 full-time employees. Additionally, a program-specific TSA Management Directive (MD) and Concept of Operations (CONOPS), as well as an informational poster and tri-fold brochure, have been developed and are currently pending leadership approval.
Further, a toll-free, 24-hour hotline number and e-mail address have been established specifically for use by employees and stakeholders to report possible insider threat incidents, reporting methodologies recently disseminated, along with a definition of an insider threat, to the TSA workforce on March 8, 2012. TSA recognizes the threat posed by the unauthorized removal, copying, or dissemination of sensitive information and has implemented a spectrum of protective measures to address these risks, including physical security, technical controls, and employee training.

What follows are TSA's specific responses to the recommendations contained in OIG's report.

Recommendation 1: Further develop the insider threat program to include policies, procedures, and a risk management plan pertinent to the insider threat.

TSA Concurs: TSA has developed a MD that provides TSA policy and procedures for the establishment, integration, and implementation of the Insider Threat Program. The MD is currently in draft pending coordination with other TSA program entities. Several of the procedures accompanying the MD are derived from a CONOPS, which is also currently in draft pending leadership approval.

The implementation of the referenced documents is intended to serve as the foundation for the Insider Threat Program's multi-faceted, insider threat specific risk management plan, which will identify procedures to be used to manage risk throughout the life-cycle of an insider threat related activity.
Additionally, it will identify procedures for performing risk identification and quantification, planning risk response, implementing contingency plans, allocating reserves and documenting results.

Recommendation 2: Implement an insider threat training and awareness program for the entire TSA workforce.

TSA Concurs: TSA has an insider threat awareness program evidenced by a March 8, 2012 broadcast message entitled TSA's Insider Threat Program, that defined an insider threat and announced the Insider Threat Program's newly established toll-free, 24-hour hotline number and e-mail address to report possible insider threat incidents. Pending are posters and tri-fold brochures intended for dissemination to and placement throughout TSA Headquarters and field locations. TSA will develop insider threat specific training upon finalization and implementation of the Insider Threat Program MD. Delivery of the training to the Agency workforce will likely be through TSA's Online Learning Center. ITAs have recently been enhanced to include insider threat training to FAMS Field Office personnel, individuals that will participate in the ITA activities at the ITA selected airports.
The training involves an overview of the Insider Threat Section's roles and responsibilities, as well as roles and responsibilities of those participating in and/or supporting the assessment. These methodologies for raising awareness, coupled with the Insider Threat MD and accompanying procedures, will equip the workforce with the ability to recognize and to appropriately respond to a potential or actual insider threat attack.



TSA Non-Concurs: TSA uses USB ports for operational purposes. Therefore, implementation of the recommendation is not feasible. TSA intends to implement peripheral device mitigating solutions through software in future security solution upgrades. TSA includes insider threat in its risk-based approach to vulnerabilities. TSA views insider threat in every aspect of the TSA mission to include the implementation of protective measures ranging from physical security, technical controls, training and awareness, and the stand up of an Insider Threat Program. Moreover, TSA OIT has specific Security Operating Centers (SOCs) that monitor both classified and unclassified systems. TSA utilizes a gateway application through DHS TIC and PEP, which provide alerts when data is transferred outside of the DHS network. TSA continuously works with DHS to fine-tune the application for improved notification services within the TSA network. TSA plans to implement policy, procedures,
and training to increase awareness, compliance and accountability among all TSA employees and contractor staff.

Recommendation 4: Until protective measures are implemented to detect or prevent unauthorized exfiltration of sensitive information outside TSA's network, direct system administrators should limit the size of email file attachments if there is not a legitimate business need for such attachments.

TSA Non-Concurs: TSA physical and automated security controls prevent inadvertent access to sensitive data and uses role based scenarios and periodic review of all security controls prior to receiving an approval to operate those systems where sensitive data is housed. NIST 800-45 recommends that organizations should consider restricting the maximum applicable size for e-mail attachments. Additionally, DHS MD 4500.1 gives the Chief Information Officer (CIO) the responsibility for establishing individual mail message size (including attachments) and total mailbox size limits. Accordingly, TSA currently limits the size of e-mail attachments to 20MB for all employees. However, imposing e-mail size limitations will not inhibit the ability of "insiders" to copy or disseminate sensitive information.
TSA recognizes that sensitive information can be copied or disseminated through various methods, including, but not limited to: sending multiple e-mail attachments, sending e-mails with embedded sensitive information, printing sensitive information, or copying sensitive information by hand. The TSA strategy for addressing insider threat is a risk-based approach that includes the following: an Insider Threat Program, Insider Threat Assessment, Cyber Security Awareness and Outreach Program, Technical Insider Threat Vulnerability Assessment, and compliance checks of information systems privileged accounts.

Appendix C
TSA's Layers of Security

TSA has multiple layers of aviation security that could mitigate the risk of insider threat through individual TSA security programs. These layers of security are designed to deter individuals attempting to carry out terrorist attacks. Figure 1 shows TSA's 20 layers of aviation security.

The security layers and the processes they establish could identify risks to aviation security, which could include the insider threat.
These security layers include using airport checkpoints, gathering and analyzing intelligence, checking passenger manifests against watch lists, performing random canine searches at airports, and employing Federal flight deck officers and Federal air marshals. These areas are not discussed in the body of the report.

Figure 1: TSA's 20 Layers of Aviation Security

Source: TSA

According to TSA, each layer has the potential to prevent a terrorist attack; together, the layers create a much stronger security system. Potential terrorists would have to overcome multiple layers to carry out an attack and would most likely fail in their attempts.

Insider threat related activities are integrated into the security layers. Listed below are individual TSA security programs that could help mitigate the insider threat.

Personnel Background Investigations and Vetting

TSA requires all employees and contractors to undergo a background investigation prior to employment. To gain privileged access to secure areas of federalized airports, TSA, airline, airport, and airport vendor employees and contractors must possess a Security Identification Display Area badge granted by the airport authority. Before issuing an identification badge, the airport authority performs a criminal history record check on each individual who needs access.
The airport authority provides this information to TSA, and it is vetted for known threats to transportation or national security. TSA then compares those results to a list of disqualifying offenses.5 If applicants have been convicted in the past 10 years of any of the offenses, they are prohibited from employment.

Daily, TSA performs perpetual name based vetting of all TSA, airline, airport, and airport vendor employees and contractors. TSA compares the names against various law enforcement and intelligence agency databases to determine whether there is a potential or actual threat to transportation security. If TSA determines that an individual poses a security threat, the information is sent to the appropriate law enforcement or intelligence agencies for further analysis.

The law enforcement or intelligence agencies determine whether the individual's identity can be verified and whether the individual continues to pose a threat or is suspected of posing a threat, and notifies TSA.
TSA informs airlines or airports when an individual's access to secure areas must be denied or rescinded.

Airport Security Playbook Program

TSA's Airport Security Playbook program uses security countermeasures designed to detect, deter, and defeat potential insider actions within the Nation's aviation system. Beginning in 2008, the program was deployed at federalized airports to improve the overall security posture among the airports.

The playbook includes a predefined list of plays, actions, and scenarios that the Federal Security Director Playbook Coordinator executes on a daily basis in coordination with TSA personnel, local law enforcement, and other DHS agencies at the airport. The program creates a dynamic security environment that increases unpredictability, which is designed to frustrate potential terrorist plans or activities.

Behavior Detection Officer Program

TSA established the Behavior Detection Officer (BDO) program to use nonintrusive behavior and analysis techniques to identify potentially high risk passengers and employees. BDOs are trained to detect individuals exhibiting behaviors that indicate they may be a threat to transportation security. BDOs are currently operating at approximately 161 airports nationwide.

5 See 49 USC 44936(b) and 49 CFR 1542.209(d) for lists of disqualifying offenses.

Joint Vulnerability Assessments by TSA and the FBI

TSA and the FBI perform congressionally mandated, periodic joint vulnerability assessments of security at selected airports to assess current and potential threats to the domestic air transportation system.
The assessments consider the extent of individuals' capability and intent to carry out terrorist attacks or related actions against transportation systems and how those individuals might carry out those actions.

Joint Terrorism Task Forces

TSA participates in Joint Terrorism Task Forces (JTTFs). JTTFs provide a central location for local, State, and Federal agencies to share terrorism related information and intelligence and to investigate terrorist threats, including insider threats. TSA regularly participates in FBI led JTTFs throughout the United States, including the National JTTF.

TSA's Office of Inspection

TSA's Office of Inspection performs a variety of activities related to identifying and investigating threats, such as conducting inspections; performing covert testing; conducting criminal and administrative investigations of employees; and identifying and testing vulnerabilities in passenger, baggage, and cargo operations.

Appendix D
OIG Assessment of Selected TSA Information Systems

Our review of four unclassified information systems critical to the TSA mission and the safety of airline employees, passengers, and the general public included the following:

• Crew Vetting Program – Used by TSA to conduct security threat assessments of airline crew members.

• Mission Scheduler Notification System – Provides TSA with automated means for mission planning and scheduling for the FAMS.

• No Fly List (NFL) HTML Database – Provides TSA, airline carriers, embassies, and other Federal agencies with a current list
of individuals who may pose a threat to aviation security, airline carriers, embassies, and other Government agencies. The NFL is created and maintained by the FBI's Terrorist Screening Center and provides a consolidated list of known or suspected terrorists.

• Transportation Worker Identification System – Provides identity credentials for transportation workers who require unescorted access to secure areas of the Nation's transportation infrastructure.

Minimum Technical and Physical Security Controls on Information Systems Are Present

Our review of the technical and physical controls concludes that TSA has applied the minimum required security controls designed to provide reasonable assurance that the information systems audited are protected against vulnerabilities that are commonly exploited by attackers.6

6 The controls reviewed, based on DHS 4300A and NIST Special Publication 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, included the following: Account Management (AC-2), Separation of Duties (AC-5), Least Privilege (AC-6), Remote Access (AC-17), Audit Review, Analysis, and Reporting (AU-6), Access Restrictions for Change (CM-5), Risk Assessment (RA-3), Physical Environment Protection Policy and Procedures (PE-1), Physical Access Authorizations (PE-2), Physical Access Control (PE-3), Monitoring Physical Access (PE-6), and Visitor Control (PE-7).

Minimum Technical Security Controls Applied7

• TSA has defined processes for creating and deleting information system user accounts.

• TSA reviews and analyzes information system audit logs for indications of inappropriate or unusual activity and reports findings to the appropriate officials for further action or instruction.

• Remote access to information systems is restricted to authorized personnel and requires strong authentication accomplished through two-factor authentication to access the system.

• Separation of duties is enforced. Users are assigned duties based on position to prevent one person from having full access to the system in all process activities.

Minimum Physical Security Controls Applied8

• Policies and procedures are documented in TSA's IT Security Policy Handbook (see chapter 3) for implementation guidance for physical and environmental protection of the information system facilities. TSA policies are reviewed and updated annually by the TSA Infrastructure Assurance and Cyber Security Division, Information Assurance Policy Branch.

• TSA develops and keeps a current list of authorized personnel who have access to the information system facilities. The lists are regularly updated as personnel are added and removed based on hiring, separation, and change in job duties.

• Buildings and rooms housing information systems, equipment, and data are monitored by real-time intrusion alarms and surveillance equipment to detect and respond to physical security incidents.

• TSA requires visitors to sign in upon entering information system facilities, be escorted during their stay, and sign out upon leaving the facility.
Visitor logs are maintained and available for review for 1 year.

7 According to NIST Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, technical controls provide automated protection for unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data.

8 According to NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, physical security controls are part of the physical and environmental protection control family.

Appendix E
Major Contributors to This Report

Richard Saunders, Director
Philip Greene, Audit Manager
Jason Dominguez, Management Analyst
Jamie Horvath, IT Specialist
Sandra Ho, IT Specialist
Scott He, IT Specialist
Michael Horton III, Management and Program Assistant
Kelly Herberger, Communications Analyst
Craig Adelman, Referencer

Appendix F
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretariat
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Respective Under Secretary
Director of Local Affairs, Office of Intergovernmental
Affairs
Chief Information Officer
Chief Information Security Officer

Transportation Security Administration

TSA Administrator
TSA Deputy Administrator
TSA Chief Information Officer
TSA Chief Information Security Officer
TSA Audit Liaison
FAMS Chief, IT Security
FAMS Audit Liaison

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this document, please call us at (202) 254-4100, fax your request to (202) 254-4305, or e-mail your request to our Office of Inspector General (OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov.

For additional information, visit our website at: www.oig.dhs.gov, or follow us on Twitter at: @dhsoig.

OIG HOTLINE

To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any other kinds of criminal or noncriminal misconduct relative to Department of Homeland Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov and click on the red tab titled "Hotline" to report. You will be directed to complete and submit an automated DHS OIG Investigative Referral Submission Form. Submission through our website ensures that your complaint will be promptly received and reviewed by DHS OIG.

Should you be unable to access our website, you may submit your complaint in writing to: DHS Office of Inspector General, Attention: Office of Investigations Hotline, 245 Murray Drive, SW, Building 410/Mail Stop 2600, Washington, DC, 20528; or you may call 1 (800) 323-8603; or fax it directly to us at (202) 254-4297.

The OIG seeks to protect the identity of each writer and caller.